# create an osbs server
# The trailing "myhosts=osbs-stg" is presumably handed to the included
# playbook as a variable; the tag lets this step be selected or skipped alone.
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-stg"
  tags:
    - make_boxes

# Base host configuration for the new box: common roles, repos, 2fa client
# and motd. Roles are applied in the listed order.
- name: make the box be real
  hosts: osbs-stg
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  roles:
    - base
    - rkhunter
    - nagios_client
    - hosts
    - fas_client
    - collectd/base
    - rsyncd
    - sudo

  tasks:
    - import_tasks: "{{ tasks_path }}/yumrepos.yml"
    - import_tasks: "{{ tasks_path }}/2fa_client.yml"
    - import_tasks: "{{ tasks_path }}/motd.yml"

  handlers:
    - import_tasks: "{{ handlers_path }}/restart_services.yml"

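# Prepare the Control host to be able to run ansible-ansible-openshift-ansible
# against the Orchestration and Worker cluster machines
- name: OSBS control hosts pre-req setup
  hosts: osbs-control-stg
  tags:
    - osbs-orchestrator-prereq
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  tasks:
    # This key is what the control host uses to reach every cluster host, so
    # it becomes root's default identity and stays readable by root only.
    # The mode is quoted so the octal value is not re-typed by the YAML parser.
    - name: deploy private key to control hosts
      copy:
        src: "{{private}}/files/osbs/{{env}}/control_key"
        dest: "/root/.ssh/id_rsa"
        owner: root
        mode: "0600"

    - name: set ansible to use pipelining
      ini_file:
        dest: /etc/ansible/ansible.cfg
        section: ssh_connection
        option: pipelining
        value: "True"  # quoted: ansible.cfg wants the literal text, not a YAML bool

    # One package transaction instead of one per item.
    - name: Install necessary packages that openshift-ansible control host needs
      package:
        name:
          - ansible
          - git
          - python-passlib
          - java-1.8.0-openjdk-headless
          - httpd-tools
        state: present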

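# This section sets up the SSL Certs for "public facing" which is how Koji will
# interact with the OSBS Orchestration cluster. This is not needed on the worker
# clusters.
- name: Setup orchestrator cluster masters pre-reqs
  hosts: osbs-masters-stg
  tags:
    - osbs-orchestrator-prereq
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  tasks:
    - name: ensure origin conf dir exists
      file:
        path: "/etc/origin"
        state: "directory"

    - name: create cert dir for openshift public facing REST API SSL
      file:
        path: "/etc/origin/master/named_certificates"
        state: "directory"

    - name: install cert for openshift public facing REST API SSL
      copy:
        src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
        dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"

    # Without an explicit mode the key is created with the default
    # (umask-derived) permissions; a TLS private key must be root-only.
    - name: install key for openshift public facing REST API SSL
      copy:
        src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
        dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
        mode: "0600"

    # NOTE(review): this file carries password hashes for the htpasswd identity
    # provider and is also written with default permissions; tighten it to
    # "0600" once it is confirmed that only root needs to read it.
    - name: place htpasswd file
      copy:
        src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
        dest: "{{ oa_htpasswd_file }}"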


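# This installs required pre-reqs and deploys the Controller's public key to all
# machines in both the Orchestrator and Worker clusters in order to allow
# ansible-ansible-openshift-ansible to be run against them
- name: Setup cluster hosts pre-reqs
  hosts: osbs-orchestrators-stg:osbs-workers-stg
  tags:
    - osbs-orchestrator-prereq
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  handlers:
    - name: restart NetworkManager
      service:
        name: NetworkManager
        state: restarted

  roles:
    - role: openshift-prerequisites

  tasks:
    # One package transaction instead of one per item.
    - name: Install necessary packages that openshift-ansible needs
      package:
        name:
          - tar
          - rsync
          - python3-dbus
          - NetworkManager
          - libselinux-python3
          - python3-PyYAML
          - java-1.8.0-openjdk-headless
        state: present

    # Public half of the control_key installed on the control host. The path
    # is built with Jinja concatenation rather than a "{{ }}" template nested
    # inside the lookup argument, which newer Ansible releases do not expand.
    - name: Deploy controller public ssh keys to osbs cluster hosts
      authorized_key:
        user: root
        key: "{{ lookup('file', private ~ '/files/osbs/' ~ env ~ '/control_key.pub') }}"

    # This is required for OpenShift built-in SkyDNS inside the overlay network
    # of the cluster. The regexp makes an existing NM_CONTROLLED=no line get
    # replaced instead of a second, conflicting line being appended.
    # NOTE(review): the interface name is hard-coded to eth0 — confirm it
    # matches every cluster host.
    - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
      lineinfile:
        dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
        regexp: "^NM_CONTROLLED="
        line: "NM_CONTROLLED=yes"
      notify:
        - restart NetworkManager

    # This is required for OpenShift built-in SkyDNS inside the overlay network
    # of the cluster
    - name: ensure NetworkManager is enabled and started
      service:
        name: NetworkManager
        state: started
        enabled: true

    - name: cron entry to clean up docker storage
      copy:
        src: "{{files}}/osbs/cleanup-docker-storage"
        dest: "/etc/cron.d/cleanup-docker-storage"

    # Same destination, env-specific source: at most one of the two tasks
    # below applies per run.
    - name: copy docker-storage-setup config
      copy:
        src: "{{files}}/osbs/docker-storage-setup"
        dest: "/etc/sysconfig/docker-storage-setup"
      when: env == "production"

    - name: copy docker-storage-setup config
      copy:
        src: "{{files}}/osbs/docker-storage-setup.staging"
        dest: "/etc/sysconfig/docker-storage-setup"
      when: env == "staging"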


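# This keytab needs to be on any system that is going to talk to koji and
# unfortunately, that's all of them.
# NOTE(review): the groups targeted here (osbs-nodes-stg, osbsworker-masters-stg,
# osbsworker-nodes-stg) are named differently from the osbsworker-x86-64-*
# groups used by the cluster deploy below — confirm both sets exist in inventory.
- name: Deploy kerberos keytab to cluster hosts
  hosts: osbs-masters-stg:osbs-nodes-stg:osbsworker-masters-stg:osbsworker-nodes-stg
  tags:
    - osbs-cluster-prereq
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  roles:
    - role: keytab/service
      owner_user: root
      owner_group: root
      service: osbs
      host: "osbs.stg.fedoraproject.org"
      when: env == "staging"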

# Runs ansible-ansible-openshift-ansible from the control host once per
# cluster: first the orchestrator cluster, then the x86-64 worker cluster.
- name: Deploy OpenShift Clusters
  hosts: osbs-control-stg
  tags:
    - osbs-deploy-openshift
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  roles:
    # Orchestrator cluster
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "orchestrator-cluster-inventory-stg"
      openshift_htpasswd_file: "{{ oa_htpasswd_file }}"
      openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
      openshift_release: "{{ origin_release }}"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_playbook: "playbooks/byo/config.yml"
      openshift_ansible_version: "{{ oa_version }}"
      openshift_ansible_ssh_user: "{{ oa_ssh_user }}"
      openshift_ansible_install_examples: "{{ oa_install_examples }}"
      openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}"
      openshift_cluster_masters_group: "osbs-masters-stg"
      openshift_cluster_nodes_group: "osbs-nodes-stg"
      openshift_cluster_infra_group: "osbs-masters-stg"
      openshift_auth_profile: "{{ oa_auth_profile }}"
      openshift_cluster_url: "{{ osbs_url }}"
      openshift_master_ha: false
      openshift_debug_level: "{{ oa_debug_level }}"
      openshift_shared_infra: true
      openshift_deployment_type: "origin"
      openshift_metrics_deploy: true
      openshift_ansible_python_interpreter: "/usr/bin/python3"
      openshift_nodeselectors: "{{ osbs_orchestrator_nodeselector_labels }}"
      when: env == 'staging'
      tags:
        - openshift-cluster
        - ansible-ansible-openshift-ansible

    # x86-64 worker cluster: identical settings apart from inventory name,
    # public URL, host groups and node selectors.
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "x86-64-worker-cluster-inventory-stg"
      openshift_htpasswd_file: "{{ oa_htpasswd_file }}"
      openshift_master_public_api_url: "https://{{ osbsworker_x86_64_url }}:8443"
      openshift_release: "{{ origin_release }}"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_playbook: "playbooks/byo/config.yml"
      openshift_ansible_version: "{{ oa_version }}"
      openshift_ansible_ssh_user: "{{ oa_ssh_user }}"
      openshift_ansible_install_examples: "{{ oa_install_examples }}"
      openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}"
      openshift_cluster_masters_group: "osbsworker-x86-64-masters-stg"
      openshift_cluster_nodes_group: "osbsworker-x86-64-nodes-stg"
      openshift_cluster_infra_group: "osbsworker-x86-64-masters-stg"
      openshift_auth_profile: "{{ oa_auth_profile }}"
      openshift_cluster_url: "{{ osbsworker_x86_64_url }}"
      openshift_master_ha: false
      openshift_debug_level: "{{ oa_debug_level }}"
      openshift_shared_infra: true
      openshift_deployment_type: "origin"
      openshift_metrics_deploy: true
      openshift_ansible_python_interpreter: "/usr/bin/python3"
      openshift_nodeselectors: "{{ osbs_worker_nodeselector_labels }}"
      when: env == 'staging'
      tags:
        - openshift-cluster
        - ansible-ansible-openshift-ansible

# OSBS-specific pieces on every cluster host: common config, atomic-reactor,
# registry client certs, and the cluster-local dnsmasq.
- name: Setup OSBS requirements for OpenShift cluster hosts
  hosts: osbs-orchestrators-stg:osbs-workers-stg
  tags:
    - osbs-cluster-req
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  roles:
    - role: osbs-common
      osbs_manage_firewalld: false

    - role: osbs-atomic-reactor

    - role: push-docker
      docker_cert_name: "containerbuild"
      docker_cert_dir: "/etc/docker/certs.d/{{ candidate_registry }}"
      when: env == "staging"

    # The images that come out of the builds need to be pushed somewhere
    - role: "manage-container-images"
      cert_dest_dir: "/etc/docker/certs.d/{{ candidate_registry }}"
      cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
      key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
      when: env == "staging"

  handlers:
    - name: restart dnsmasq
      service:
        name: dnsmasq
        state: restarted

  tasks:
    # "latest" means every run may upgrade dnsmasq, not merely ensure it is
    # present.
    - name: ensure dnsmasq is installed
      package:
        name: dnsmasq
        state: latest

    - name: install fedora dnsmasq specific config
      copy:
        src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
        dest: "/etc/dnsmasq.d/fedora-dns.conf"
      notify:
        - restart dnsmasq

# Creates and configures the OSBS orchestrator namespace on the first
# orchestrator master.
- name: setup orchestrator namespace
  hosts: osbs-masters-stg[0]
  tags:
    - osbs-cluster-req
    - orchestrator-namespace
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  vars:
    # Play-level defaults. The osbs-namespace role below passes its own
    # osbs_kubeconfig_path, and role parameters win over play vars inside
    # the role.
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder
    osbs_secret_name: kojisecret
    # NOTE(review): unlike the worker-namespace play, osbs_builder_user is not
    # set here; presumably it comes from a vars file — confirm.
    osbs_secret_service_account: "{{ osbs_builder_user }}"
    osbs_secret_remote_dir: /var/lib/origin
    osbs_secret_can_fail: false

  roles:
  - role: osbs-namespace
    osbs_namespace: "{{ osbs_orchestrator_namespace }}"
    osbs_openshift_home: "{{ openshift_home}}"
    osbs_kubeconfig_path: "{{ kubeconfig_path }}"
    osbs_generated_config_path: "{{ generated_config_path }}"
    # NOTE(review): "osbs_environmnet" looks misspelled; if the role expects
    # osbs_environment this value never reaches it — confirm against the role.
    osbs_environmnet: "{{ osbs_env }}"
    osbs_is_admin: "{{ osbs_admin }}"
    osbs_service_accounts: "{{ osbs_orchestrator_service_accounts }}"
    osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
    osbs_admin_groups: "{{ os_admin_groups }}"
    osbs_admin_users: "{{ os_admin_users }}"
    osbs_readonly_groups: "{{ osbs_orchestrator_readonly_groups }}"
    # NOTE(review): readonly_users is fed the *groups* variable, unlike the
    # readwrite pair below — looks like a copy/paste slip; confirm.
    osbs_readonly_users: "{{ osbs_orchestrator_readonly_groups }}"
    osbs_readwrite_groups: "{{ osbs_orchestrator_readwrite_groups }}"
    osbs_readwrite_users: "{{ osbs_orchestrator_readwrite_users }}"
    osbs_orchestrator: true
    osbs_worker_clusters: "{{ worker_clusters }}"
    osbs_koji_secret_name: "{{ koji_secret_name }}"
    osbs_distribution_scope: "{{ distribution_scope }}"
    osbs_authoritative_registry: "{{ authoritative_registry }}"
    osbs_koji_hub: "{{ koji_hub }}"
    osbs_koji_root: "{{ koji_root }}"
    osbs_registry_api_versions: "{{ registry_api_versions }}"
    osbs_registry_uri: "{{ candidate_registry }}"
    osbs_source_registry_uri: "{{ stable_registry }}"
    osbs_build_json_dir: "{{ build_json_dir }}"
    osbs_sources_command: "fedpkg sources"
    # Empty string when no default node selector is defined.
    osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"

# Creates and configures the OSBS worker namespace on the first x86-64
# worker master.
- name: setup worker namespace
  hosts: osbsworker-x86-64-masters-stg[0]
  tags:
    - osbs-cluster-req
    - worker-namespace
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  vars:
    # Play-level defaults. The osbs-namespace role below passes its own
    # osbs_kubeconfig_path, and role parameters win over play vars inside
    # the role.
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder
    osbs_secret_name: kojisecret
    osbs_secret_service_account: "{{ osbs_builder_user }}"
    osbs_secret_remote_dir: /var/lib/origin
    osbs_secret_can_fail: false

  roles:
  - role: osbs-namespace
    osbs_namespace: "{{ osbs_worker_namespace }}"
    osbs_openshift_home: "{{ openshift_home}}"
    osbs_kubeconfig_path: "{{ kubeconfig_path }}"
    osbs_generated_config_path: "{{ generated_config_path }}"
    # NOTE(review): "osbs_environmnet" looks misspelled; if the role expects
    # osbs_environment this value never reaches it — confirm against the role.
    osbs_environmnet: "{{ osbs_env }}"
    osbs_is_admin: "{{ osbs_admin }}"
    osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
    osbs_admin_groups: "{{ os_admin_groups }}"
    osbs_admin_users: "{{ os_admin_users }}"
    osbs_readonly_groups: "{{ osbs_worker_readonly_groups }}"
    # NOTE(review): readonly_users is fed the *groups* variable, unlike the
    # readwrite pair below — looks like a copy/paste slip; confirm.
    osbs_readonly_users: "{{ osbs_worker_readonly_groups }}"
    osbs_readwrite_groups: "{{ osbs_worker_readwrite_groups }}"
    osbs_readwrite_users: "{{ osbs_worker_readwrite_users }}"
    osbs_orchestrator: false
    osbs_worker_clusters: "{{ worker_clusters }}"
    osbs_koji_secret_name: "{{ koji_secret_name }}"
    osbs_distribution_scope: "{{ distribution_scope }}"
    osbs_authoritative_registry: "{{ authoritative_registry }}"
    osbs_koji_hub: "{{ koji_hub }}"
    osbs_koji_root: "{{ koji_root }}"
    osbs_registry_api_versions: "{{ registry_api_versions }}"
    osbs_registry_uri: "{{ candidate_registry }}"
    osbs_source_registry_uri: "{{ stable_registry }}"
    osbs_build_json_dir: "{{ build_json_dir }}"
    osbs_sources_command: "fedpkg sources"
    osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
    # NOTE(review): this is the worker namespace but the *orchestrator* default
    # node selector is used (empty string when undefined) — confirm intended.
    osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"

# Grants the OpenShift "edit" role in the orchestrator namespace to the koji
# user and to the builder service account. Each task drops a marker file
# under /etc/origin so it only runs once per host.
- name: Setup Koji auth for OSBS Orchestrator Cluster
  hosts: osbs-masters-stg[0]
  tags:
    - osbs-master-req
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  tasks:
    # NOTE(review): the space after "htpasswd_provider:" means the shell
    # passes it and the username as two separate arguments — confirm the
    # intended identity string. The marker file also means a binding removed
    # by hand is never re-created by this play.
    - name: set policy for koji builder in openshift for osbs
      shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
      args:
        creates: "/etc/origin/koji-builder-policy-added"
      when: env == "staging"

    - name: set policy for koji builder in openshift for atomic-reactor
      shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added"
      args:
        creates: "/etc/origin/atomic-reactor-policy-added"

# Grants the OpenShift "edit" role in the worker namespace; each task drops a
# marker file under /etc/origin so it only runs once per host.
- name: Setup Koji auth for OSBS Worker Cluster
  hosts: osbsworker-x86-64-masters-stg[0]
  tags:
    - osbs-master-req
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml


  tasks:
    # NOTE(review): the space after "htpasswd_provider:" means the shell
    # passes it and the username as two separate arguments — confirm the
    # intended identity string.
    - name: set policy for koji builder in openshift for osbs
      shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
      args:
        creates: "/etc/origin/koji-builder-policy-added"
      when: env == "staging"

    # NOTE(review): the -n flag names osbs_worker_namespace but the service
    # account path uses osbs_orchestrator_namespace; on the worker cluster that
    # looks like a copy/paste from the orchestrator play — confirm which
    # service account is meant to receive "edit" here.
    - name: set policy for koji builder in openshift for atomic-reactor
      shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added"
      args:
        creates: "/etc/origin/atomic-reactor-policy-added"

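# Installs the koji builder client cert and CA on the first orchestrator
# master and turns them into the "koji" secret mounted by the builder
# service account.
- name: post-install orchestrator master host osbs tasks
  hosts: osbs-masters-stg[0]
  tags:
    - osbs-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
  vars:
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder

  handlers:
    # Chained handlers: a changed cert or CA creates the "koji" secret, which
    # then notifies the mount into the builder service account.
    # NOTE(review): "oc secrets new" does not replace an existing secret, so a
    # later certificate rotation presumably fails in this handler — confirm.
    - name: oc secrets new
      shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{ osbs_orchestrator_namespace }}"
      environment: "{{ osbs_environment }}"
      notify: oc secrets add

    - name: oc secrets add
      shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_orchestrator_namespace}}"
      environment: "{{ osbs_environment }}"

  tasks:
    # Modes are quoted so the octal values are not re-typed by the YAML parser.
    # NOTE(review): 0400 on a directory has no execute bit; only root (which
    # bypasses DAC) can traverse it — 0700 is probably what was meant.
    - name: Ensure koji dockerbuilder cert path exists
      file:
        path: "{{ koji_pki_dir }}"
        state: "directory"
        mode: "0400"

    # Client credential for the Koji Content Generator import; keep it
    # root-only rather than relying on the default file mode.
    - name: Add koji dockerbuilder cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/containerbuild.pem"
        dest: "{{ koji_cert_path }}"
        mode: "0600"
      notify: oc secrets new

    - name: Add koji dockerbuilder ca cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
        dest: "{{ koji_ca_cert_path }}"
      notify: oc secrets new

    - name: cron entry to clean up old builds
      copy:
        src: "{{files}}/osbs/cleanup-old-osbs-builds"
        dest: "/etc/cron.d/cleanup-old-osbs-builds"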

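# Installs the koji builder client cert and CA on the first worker master and
# turns them into the "koji" secret mounted by the builder service account.
- name: post-install worker master host osbs tasks
  hosts: osbsworker-x86-64-masters-stg[0]
  tags:
    - osbs-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
  vars:
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder

  handlers:
    # Chained handlers: a changed cert or CA creates the "koji" secret, which
    # then notifies the mount into the builder service account.
    # NOTE(review): "oc secrets new" does not replace an existing secret, so a
    # later certificate rotation presumably fails in this handler — confirm.
    - name: oc secrets new
      shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_worker_namespace}}"
      environment: "{{ osbs_environment }}"
      notify: oc secrets add

    - name: oc secrets add
      shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_worker_namespace}}"
      environment: "{{ osbs_environment }}"

  tasks:
    # Modes are quoted so the octal values are not re-typed by the YAML parser.
    # NOTE(review): 0400 on a directory has no execute bit; only root (which
    # bypasses DAC) can traverse it — 0700 is probably what was meant.
    - name: Ensure koji dockerbuilder cert path exists
      file:
        path: "{{ koji_pki_dir }}"
        state: "directory"
        mode: "0400"

    # Client credential for the Koji Content Generator import; keep it
    # root-only rather than relying on the default file mode.
    - name: Add koji dockerbuilder cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/containerbuild.pem"
        dest: "{{ koji_cert_path }}"
        mode: "0600"
      notify: oc secrets new

    - name: Add koji dockerbuilder ca cert for Content Generator import
      copy:
        src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
        dest: "{{ koji_ca_cert_path }}"
      notify: oc secrets new

    - name: cron entry to clean up old builds
      copy:
        src: "{{files}}/osbs/cleanup-old-osbs-builds"
        dest: "/etc/cron.d/cleanup-old-osbs-builds"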

# Mirrors the OpenShift base images into the candidate registry and registers
# the "fedora" image stream on each cluster's first master.
- name: Manage docker images and image stream
  hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0]
  tags:
    - osbs-post-install
    - manage-docker-images
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  vars:
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder

  tasks:
    # NOTE: Need to delegate to compose-x86-01.phx2.fedoraproject.org for prod
    #       because the push keys are split for each env
    # Images are fetched from docker.io by tag, not by digest, so what lands in
    # the candidate registry is whatever the tag resolves to on each run; the
    # copy runs on the staging composer, which holds the registry push keys.
    # changed_when keys off skopeo's "repeat blob" message to stay idempotent.
    - name: skopeo sync openshift required docker images
      shell: "skopeo copy docker://docker.io/{{item}}:{{origin_release}} docker://{{candidate_registry}}/{{item}}:{{origin_release}}"
      with_items: "{{openshift_required_images}}"
      delegate_to: composer.stg.phx2.fedoraproject.org
      register: docker_pull_openshift_delegated
      changed_when: "'Skipping fetch of repeat blob' not in docker_pull_openshift_delegated.stdout"
      when: env == "staging"

    # Posts an inline ImageStream manifest to the API; the marker file under
    # /etc/origin makes this a one-shot task.
    - name: create fedora image stream for OpenShift
      shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{candidate_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
      environment: "{{ osbs_environment }}"
      args:
        creates: /etc/origin/fedoraimagestreamcreated

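# Per-host OSBS client configuration, docker tweaks, the buildroot container
# inputs (Dockerfile, CA, repofile, keytab) and the required image pulls.
- name: post-install osbs tasks
  hosts: osbs-orchestrators-stg:osbs-workers-stg
  tags:
    - osbs-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
  vars:
    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
    osbs_environment:
      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
    koji_pki_dir: /etc/pki/koji
    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
    koji_builder_user: dockerbuilder
    osbs_builder_user: builder

  handlers:
    # Rebuilds the buildroot image from scratch whenever one of its inputs
    # under /etc/osbs/buildroot/ changes.
    - name: buildroot container
      shell: 'docker rmi buildroot; docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'

    - name: restart docker
      service:
        name: docker
        state: restarted

    - name: systemctl daemon-reload
      shell: 'systemctl daemon-reload'

  roles:
    # Written in block style; "1.1.0" is quoted so it stays a string.
    # The koji username/password below come from the private vars files and
    # end up in the rendered osbs client config.
    - role: osbs-client
      general:
        verbose: 0
        build_json_dir: '/etc/osbs/input/'
        openshift_required_version: "1.1.0"
      default:
        username: "{{ osbs_koji_stg_username }}"
        password: "{{ osbs_koji_stg_password }}"
        koji_use_kerberos: true
        koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab"
        koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}"
        openshift_url: 'https://{{osbs_url}}/'
        registry_uri: 'https://{{candidate_registry}}/v2'
        source_registry_uri: 'https://{{stable_registry}}/v2'
        build_host: '{{osbs_url}}'
        koji_root: '{{koji_root}}'
        koji_hub: '{{koji_hub}}'
        sources_command: 'fedpkg sources'
        build_type: 'prod'
        authoritative_registry: '{{stable_registry}}'
        vendor: 'Fedora Project'
        verify_ssl: true
        use_auth: true
        builder_use_auth: true
        distribution_scope: 'private'
        registry_api_versions: 'v2'
        builder_openshift_url: 'https://{{osbs_url}}'
        namespace: 'osbs'
        can_orchestrate: true
      when: env == "staging"

  tasks:
    # Modes are quoted so the octal values are not re-typed by the YAML parser.
    - name: copy docker iptables script
      copy:
        src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
        dest: /usr/local/bin/fix-docker-iptables
        mode: "0755"
      notify:
        - restart docker

    - name: copy docker service config
      copy:
        src: "{{files}}/osbs/docker.custom.service"
        dest: /etc/systemd/system/docker.service.d/custom.conf
      notify:
        - systemctl daemon-reload
        - restart docker

    - name: ensure docker is running
      service:
        name: docker
        state: started
        enabled: true

    # NOTE(review): if the rendered client config contains the koji password
    # set in the osbs-client role above, this ACL exposes it to the monitoring
    # user — confirm the nrpe check really needs to read the whole file.
    - name: set nrpe read access for osbs.conf for nagios monitoring
      acl:
        name: "{{ osbs_client_conf_path }}"
        entity: nrpe
        etype: user
        permissions: r
        state: present

    - name: Create buildroot container conf directory
      file:
        path: "/etc/osbs/buildroot/"
        state: directory

    - name: Upload Dockerfile for buildroot container
      template:
        src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
        dest: "/etc/osbs/buildroot/Dockerfile"
        mode: "0400"
      notify:
        - buildroot container

    - name: Upload internal CA for buildroot
      copy:
        src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
        dest: "/etc/osbs/buildroot/ca.crt"
        mode: "0400"
      notify:
        - buildroot container

    # The repofile is copied into the build context only when it is missing,
    # and a stale copy (checksum differs from /etc/yum.repos.d) is removed
    # first so the next run re-copies it.
    - name: stat infra repofile
      stat:
        path: "/etc/yum.repos.d/infra-tags.repo"
      register: infra_repo_stat

    - name: stat /etc/osbs/buildroot/ infra repofile
      stat:
        path: "/etc/osbs/buildroot/infra-tags.repo"
      register: etcosbs_infra_repo_stat

    # NOTE(review): if the buildroot copy exists but /etc/yum.repos.d/infra-tags.repo
    # does not, infra_repo_stat.stat.checksum is undefined and this condition
    # errors out — confirm the repofile is always present.
    - name: remove old /etc/osbs/buildroot/ infra repofile
      file:
        path: "/etc/osbs/buildroot/infra-tags.repo"
        state: absent
      when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum

    - name: Copy repofile for buildroot container (because Docker)
      copy:
        src: "/etc/yum.repos.d/infra-tags.repo"
        dest: "/etc/osbs/buildroot/infra-tags.repo"
        remote_src: true
      notify:
        - buildroot container
      when: not etcosbs_infra_repo_stat.stat.exists

    # Same stat/remove/link dance for the keytab, which is hardlinked so the
    # build context always sees the current /etc keytab.
    - name: stat /etc/ keytab
      stat:
        path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
      register: etc_kt_stat

    - name: stat /etc/osbs/buildroot/ keytab
      stat:
        path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
      register: etcosbs_kt_stat

    - name: remove old hardlink to /etc/osbs/buildroot/ keytab
      file:
        path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
        state: absent
      when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum

    - name: Hardlink keytab for buildroot container (because Docker)
      file:
        src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
        dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
        state: hard
      notify:
        - buildroot container
      when: not etcosbs_kt_stat.stat.exists

    # Image pulls report "changed" only when docker actually downloaded a
    # newer layer. Tags, not digests, are used here.
    - name: pull openshift required docker images
      shell: "docker pull {{candidate_registry}}/{{item}}:{{origin_release}}"
      with_items: "{{openshift_required_images}}"
      register: docker_pull_openshift
      changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"

    - name: pull fedora required docker images
      shell: "docker pull {{stable_registry}}/{{item}}"
      with_items: "{{fedora_required_images}}"
      register: docker_pull_fedora
      changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"

    # "is changed" replaces the "|changed" filter, which later Ansible
    # releases removed; the meaning is the same.
    - name: tag openshift required docker images locally
      shell: "docker tag {{candidate_registry}}/{{item}}:{{origin_release}} {{item}}:{{origin_release}}"
      with_items: "{{openshift_required_images}}"
      when: docker_pull_openshift is changed

    # Re-exposes the loop result as a host fact; a self-assignment otherwise.
    - set_fact:
        docker_pull_openshift: "{{ docker_pull_openshift }}"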


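- name: Post-Install image stream refresh
  hosts: osbs-masters-stg[0]
  tags:
    - osbs-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  tasks:
    # Re-imports the fedora image stream only when the previous play pulled a
    # newer fedora image on the first orchestrator master. "is changed"
    # replaces the "|changed" filter that later Ansible releases removed.
    # NOTE(review): this relies on osbs-masters-stg[0] being one of the hosts
    # of the "post-install osbs tasks" play; otherwise docker_pull_fedora is
    # undefined there — confirm the inventory.
    - name: refresh fedora image streams
      shell: "oc import-image fedora --all"
      when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"] is changed

    # Runtime rules only: the iptables module does not persist them, so they
    # are gone after a reboot unless something else saves the ruleset.
    # NOTE(review): these only land on the first orchestrator master, not on
    # the other monitored hosts — confirm that is intended.
    - name: enable nrpe for monitoring (noc01)
      iptables:
        action: insert
        chain: INPUT
        protocol: tcp
        destination_port: "5666"
        source: 10.5.126.41
        jump: ACCEPT
        state: present

    - name: enable nrpe for monitoring (noc01.stg)
      iptables:
        action: insert
        chain: INPUT
        protocol: tcp
        destination_port: "5666"
        source: 10.5.128.38
        jump: ACCEPT
        state: present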
